server/users: let authorized users GET themselves

2016-06-11 09:49:13 +02:00 · 2016-06-11 09:49:13 +02:00 · 616854fb1b
commit 616854fb1b
parent b5aa3e75c4
2 changed files with 4 additions and 2 deletions
--- a/server/szurubooru/api/user_api.py
+++ b/server/szurubooru/api/user_api.py
@ -40,8 +40,9 @@ class UserListApi(BaseApi):

 class UserDetailApi(BaseApi):
    def get(self, ctx, user_name):
-        auth.verify_privilege(ctx.user, 'users:view')
        user = users.get_user_by_name(user_name)
+        if ctx.user.user_id != user.user_id:
+            auth.verify_privilege(ctx.user, 'users:view')
        return _serialize(ctx, user)

    def put(self, ctx, user_name):
--- a/server/szurubooru/tests/api/test_user_retrieving.py
+++ b/server/szurubooru/tests/api/test_user_retrieving.py
@ -74,8 +74,9 @@ def test_trying_to_retrieve_single_non_existing(test_ctx):
            '-')

 def test_trying_to_retrieve_single_without_privileges(test_ctx):
+    db.session.add(test_ctx.user_factory(name='u1', rank=db.User.RANK_REGULAR))
    with pytest.raises(errors.AuthError):
        test_ctx.detail_api.get(
            test_ctx.context_factory(
                user=test_ctx.user_factory(rank=db.User.RANK_ANONYMOUS)),
-            '-')
+            'u1')